
Multiparty Homomorphic Encryption

Alex Padron, Guillermo Vargas

Abstract—An interesting and desirable encryption property is homomorphism. A homomorphic encryption scheme is a cryptographic system that allows computation to be executed directly on encrypted data. Homomorphic computation could include a wide series of operations such as addition, multiplication, and quadratic functions. The most powerful class of such schemes is described as fully homomorphic. A fully homomorphic encryption scheme is an encryption scheme that supports arbitrary computation on encrypted data.

Several partially homomorphic encryption schemes have been developed that support limited operations, such as addition or multiplication. Although these schemes perform relatively well in practice, they have few applications due to their restricted set of operations. Conversely, there exist fully homomorphic encryption schemes that support both addition and multiplication, but run rather slowly in practice. Consequently, homomorphic encryption has found few applications in real world systems, despite its potential to offer confidentiality in a ubiquitous technology: cloud computing.

Cloud computing has the potential to be one of the most expansive applications of homomorphic encryption. Unfortunately, it requires a fully homomorphic cryptosystem that performs well in practice. In the interest of this application, we have developed a new fully homomorphic cryptosystem. Our setting strays from the traditional encryption setting in that our primary function is not messaging. In fact, our scheme does not need to support encrypted messaging at all, though it will utilize it. We propose a fully homomorphic encryption scheme under a weakened model, in which the encrypting party is also the decrypting party. The cryptosystem is built on multiparty computation. In particular, we are weakening the traditional homomorphic encryption model as follows. Plaintext messages will be encrypted using multiple keys in a secret sharing mechanism, so that only parties that know every key can decrypt a ciphertext. Our system offers computation on ciphertext by allowing parties with any key to perform some restricted operations. In order for a full operation to be executed, an analogous operation needs to be executed with each key. The encryption and operation methods are inspired by one time pads and symbolic execution. The cryptosystem is inspired by Shamir’s secret sharing construction and multiparty computation.

I. INTRODUCTION

Encryption is primarily used as a means to keep data confidential and integrous while sharing it with another party. Several such encryption schemes exist, but most of them are only concerned with read and write operations. In particular, common encryption schemes such as padded RSA encryption and encryption through Diffie-Hellman key exchange are only designed to allow parties to encrypt data when trying to write or send messages, and decrypt data when trying to read or receive messages [14] [15]. This is sufficient for simple applications such as sending messages and storing data, but more complex applications could benefit from modify operations that could be applied to encrypted data.

Such encryption schemes are called homomorphic. Specifically, homomorphic encryption schemes support direct computation on ciphertexts, without revealing any information about the underlying plaintext. Given a homomorphic encryption scheme, a client could run computational tasks using encrypted inputs on an untrusted server without sacrificing confidentiality. There is a wide range of applications for homomorphic encryption schemes such as anonymous voting, confidential medical device algorithms, and cloud computing.

Partially homomorphic schemes are encryption schemes that support operations on ciphertexts, but do not support arbitrary computation on ciphertexts. There currently exist several partially homomorphic encryption schemes. Most of these schemes only support either addition or multiplication. Such encryption schemes tend to perform well in practice. Unfortunately, their computational restrictions limit their potential applications.

Fully homomorphic encryption schemes are schemes that support arbitrary computation on ciphertexts. Fully homomorphic encryption schemes are better suited for real world applications, because they support arbitrary computation. However, the few existing fully homomorphic encryption schemes run too slowly to support any practical applications.

We propose a fully homomorphic encryption scheme built on multiparty computation. We have designed this scheme with cloud computing as the potential application in mind. In particular, the system described in the following sections is designed to support arbitrary operations over the integers in a way that places most of the computational load on the servers. Furthermore, note that our proposed encryption scheme does not support messaging between parties, but instead focuses on providing a client the ability to perform computation on untrusted servers.

II. PREVIOUS WORK

Several partially homomorphic encryption schemes have been developed already. Some examples of multiplicative homomorphic encryption schemes are unpadded RSA encryption and the ElGamal cryptosystem. Similarly, the Goldwasser-Micali cryptosystem, the Benaloh cryptosystem, and the Paillier cryptosystem are all examples of additive homomorphic encryption schemes. Implementations of these schemes have even performed well enough to find applications in systems today, such as anonymous voting systems [5]. There also exist some fully homomorphic encryption schemes, but they have yet to be applied to real world systems in a time-efficient manner.

We examined all of the encryption schemes listed above, and even implemented the ElGamal and Paillier cryptosystems. The following subsections discuss a few of the homomorphic encryption schemes that we studied before trying to develop our own scheme. Studying these schemes revealed several components and attributes that are essential to any homomorphic encryption scheme. In particular, the following sections will summarize four components of each scheme: key generation, encryption, homomorphic computation, and decryption. Additionally, we will analyze how confidentiality is maintained in each scheme.

A. Unpadded RSA

Key Generation: A party begins key generation by randomly selecting two prime integers p and q.

$$p \xleftarrow{\$} P$$
$$q \xleftarrow{\$} P$$

The party then computes n and φ(n) as follows.

$$n = p \cdot q$$
$$\varphi(n) = (p - 1) \cdot (q - 1)$$

Finally, the party randomly selects a positive integer e less than φ(n) that is coprime with φ(n), and computes its modular multiplicative inverse.

$$e \xleftarrow{\$} \mathbb{Z}_n^+ \mid \gcd(e, \varphi(n)) = 1$$
$$d = e^{-1} \pmod{\varphi(n)}$$

Ultimately, the party’s public key is (n, e), and its private key is (n, d) [14].

Encryption: A message m can be encrypted under a party’s RSA public key (n, e) as follows [14].

$$\varepsilon(m) = m^e \pmod{n}$$

Homomorphic Computation: The RSA algorithm’s multiplicative homomorphic property is built on the power of a product property. In particular, encrypting two messages $m_1$ and $m_2$ would produce the following ciphertexts.

$$\varepsilon(m_1) = m_1^e \pmod{n}$$
$$\varepsilon(m_2) = m_2^e \pmod{n}$$

It follows that the product of these ciphertexts can be derived as follows.

$$\varepsilon(m_1) \cdot \varepsilon(m_2) \pmod{n}$$
$$m_1^e \cdot m_2^e \pmod{n}$$

By the power of a product property, it is clear that encrypting the product of $m_1$ and $m_2$ produces a ciphertext equivalent to the product of $\varepsilon(m_1)$ and $\varepsilon(m_2)$.

$$\varepsilon(m_1 \cdot m_2) = (m_1 \cdot m_2)^e \pmod{n}$$

This shows that unpadded RSA encryption satisfies the multiplicative homomorphic property.

Decryption: A party can decrypt a message encrypted under its public key (n, e) using its corresponding private key (n, d) as follows.

$$m = \varepsilon(m)^d \pmod{n}$$
$$m = m^{ed} \pmod{n}$$
$$m = m \pmod{n}$$

The correctness of the decrypted output follows from the fact that d and e are inverses in n’s multiplicative group, implying that $e \cdot d = 1 \pmod{n}$ [14].

Confidentiality: Unfortunately, unpadded RSA encryption does not satisfy confidentiality to a high degree. It is vulnerable to both chosen ciphertext attacks and chosen plaintext attacks. The vulnerability to chosen plaintext attacks is obvious from the fact that the encryption scheme is deterministic. Adversaries could easily distinguish between the encryption of two known plaintexts by encrypting the plaintext themselves. Worse yet, if the message space is too small, adversaries could simply brute force search the set of messages and build a rainbow table. Unpadded RSA really only satisfies confidentiality in the case where the message space is too large to search, and plaintexts are selected in a uniform distribution to make repeats unlikely. This weaker degree of confidentiality is enforced by the difficulty of prime factorization [16], which is used to prevent an adversary from compromising a party’s private key.

B. ElGamal

Key Generation: Under the ElGamal encryption scheme, a party generates a public key (G, q, g, h) and private key x by the following procedure. First, the party selects a cyclic group G of order q with generator g. The party can then randomly select its private key x.

$$x \xleftarrow{\$} \mathbb{Z}_q^+$$

Next, the party can compute the last component of its public key, h.

$$h = g^x$$

Finally, the party can publish (G, q, g, h) as its public key and retain x as its private key [1].

Encryption: A message m can be encrypted under an ElGamal public key as follows. First, the encrypting party randomly selects some integer y less than q, and uses it to compute the first part of the ciphertext, $c_1$.
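The multiplicative property and the determinism weakness of unpadded RSA from section A can be checked side by side in a few lines of Python. This is an added example, not code from the paper; the primes 61 and 53, the exponent 17, and all function names are constructed for illustration.

```python
# Added illustration: textbook (unpadded) RSA with tiny, constructed parameters.
from math import gcd

def keygen(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q and an exponent e coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    return (n, e), (n, pow(e, -1, phi))  # d = e^-1 mod phi(n), Python 3.8+

def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must lie in [0, n)")
    return pow(m, e, n)

def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def homomorphic_multiply(pub, c1, c2):
    """Multiply two ciphertexts; the result decrypts to m1 * m2 mod n."""
    return (c1 * c2) % pub[0]

def recover_from_small_space(pub, c, candidates):
    """Why determinism breaks confidentiality: anyone holding the public key
    can re-encrypt each candidate plaintext and compare with the ciphertext."""
    return [m for m in candidates if encrypt(pub, m) == c]

# Constructed toy key, far too small for real use.
PUB, PRIV = keygen(61, 53, 17)

if __name__ == "__main__":
    c1, c2 = encrypt(PUB, 7), encrypt(PUB, 12)
    # The server multiplies ciphertexts without ever seeing 7 or 12.
    print("decrypted product:", decrypt(PRIV, homomorphic_multiply(PUB, c1, c2)))
    # Same plaintext always yields the same ciphertext.
    print("deterministic:", encrypt(PUB, 7) == c1)
    # A small message space is enumerable with only the public key.
    print("recovered:", recover_from_small_space(PUB, encrypt(PUB, 42), range(100)))
```

Randomized padding removes the determinism that `recover_from_small_space` relies on, and it also destroys the multiplicative property, which is why the padded RSA mentioned in the introduction is not homomorphic.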